latest insights

seculert blog

With the election only a week away, the discussion about how the upcoming U.S. presidential election may or may not be “rigged” is being closely watched. ‘Election hacking’ reports from CNN, the Washington Post, and even the candidates themselves provide yet another debate platform regarding the possibility of corrupted election results. For the purpose of this blog let’s set aside the fact that our national election system is far too distributed for any widespread national vote theft to occur, and explore the more likely technological aspects of “hacking an election” through swing states...and what we know through Seculert Labs analysis.

Nymaim is best known worldwide as a downloader, but the current version has evolved beyond earlier ones: it can now collect data from the infected machine without downloading an additional payload. Some of its exported functions harvest passwords and browser data from the machine, and the harvested data is kept hidden on the file system until the next communication with the C&C. Payloads downloaded from the C&C are not written to disk; they are loaded directly into memory and invoked through a custom internal calling convention.

One of the signature features I noticed when I began analyzing the Nymaim payload was its novel anti-reverse-engineering and obfuscation techniques. To frustrate the analyst, a single function is split into many separate code fragments that must be pieced back together before the code can be fully understood. Most of the code is heavily obfuscated using ‘spaghetti code’ methods, but we'll dive into that in a bit.

Attack tools are built to be stealthy and stay under the radar, so at Seculert we examine many different malicious tools. This keeps us at least one step ahead of the attackers and improves the ability of our advanced analytics technology to detect their evasive techniques.

InfoSec professionals know that most so-called Advanced Persistent Threats (APTs) are, frankly speaking, not truly APTs. But every now and then, a real persistent attack using different advanced evasive techniques emerges on the cyber threat landscape, and it’s critical for organizations to sit up and take notice. The most recent addition to this Most Unwanted List is courtesy of the threat actor known as ProjectSauron.

A significant and respected collective of global IT security professionals congregates in the U.S. twice yearly: for RSA during the mild and temperate San Francisco winter, and later for Black Hat & Defcon, held annually in the sweltering and abysmal heat of a Las Vegas August.

Unfriendly outdoor temperatures aside, last week's #BHUSA 2016 featured all of the usual demonstrations of 'how to hack anything with a network connection', keynotes by industry luminaries, and parties (it is Vegas after all). The problem with being on the ground at Black Hat is that no matter how much effort you expend, it's only possible to see and absorb a portion of it - even if you spend every waking hour in sessions or on the show floor. Thus, I've made it a ritual to review and read what other attendees had to share in the aftermath of these conferences.

Those of you who follow this space may have noticed Seculert's announcement of a significant product line extension 60 days ago. The "Seculert Javelin Attack Simulator" is the culmination of our efforts to extend a critical piece of the knowledge embodied in Seculert's "Attack Detection Platform" to a wider audience.

Say you’ve got a bucket with some holes in it. Much like Henry in the famous song, you would really like to mend them. But before you mend them, you need to find out whether there are any open holes at all, or whether they have all been mended already.

Similarly, as the person in charge of the security of your enterprise network, you would most likely want to know whether your web gateway (whether it’s a proxy, a secure web gateway, or a next-gen firewall) will be able to block the attackers’ tools from communicating back to the attackers. We all know by now that eventually an attacker will get inside your network and compromise at least one device. In fact, in our recent research we found that on average 2% of the devices in a typical enterprise environment are already compromised.

This is exactly why Seculert created Javelin. Javelin is an attack simulator which “pours water” across your network environment and tries to reach out to places your web gateway should already be blocking. To do that, we picked the most prevalent and most recent bad actors we could find by analyzing the traffic logs of our 2 million enterprise users. We then safely simulate the outbound communication behavior of each of the tools those bad actors use in their attacks. You get instant visibility into whether your web gateway was able to block those potential attacks or not, all without installing any software or hardware.

If your web gateway is configured properly, and it really is able to protect you against the latest attacks, you should see a result similar to this:
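The same idea in a small, self-contained form. The script below is an added example, not part of the original post and not Javelin's own code: it attempts outbound TCP connections from a host inside the network to a constructed list of destinations (reserved example.* names standing in for the attacker infrastructure a real run would take from threat intelligence) and classifies each as blocked or not blocked by the gateway. An "allowed baseline" destination is included so that a probe host with no egress at all is reported as such instead of as a perfect score. The `connect` parameter lets you swap the real socket call for a stub, which is also how the check can be exercised offline.

```python
"""Egress-control check: does the web gateway stop outbound traffic that a
compromised host would generate?

Added example, not Seculert's Javelin code. The destination list is
constructed for illustration (RFC 2606 reserved names, no real C2)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed test set: (label, host, port). These are reserved example
# domains, not real malicious infrastructure; a real run would use
# destinations taken from the organization's own threat intelligence.
TEST_DESTINATIONS: List[Tuple[str, str, int]] = [
    ("known-bad-http", "c2.example.net", 80),
    ("known-bad-https", "c2.example.org", 443),
    ("nonstandard-port", "c2.example.com", 8443),
    ("allowed-baseline", "www.example.com", 443),  # expected to succeed
]


@dataclass
class ProbeResult:
    label: str
    host: str
    port: int
    reached: bool      # True if a TCP connection was established
    error: str = ""    # socket error text when the connection failed


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> None:
    """Default connector: opens and immediately closes a TCP socket.
    Raises OSError if the connection is refused, filtered or times out."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def run_probes(destinations=TEST_DESTINATIONS,
               connect: Callable[[str, int], None] = tcp_connect) -> List[ProbeResult]:
    """Attempt each destination in turn and record whether it was reachable."""
    results: List[ProbeResult] = []
    for label, host, port in destinations:
        try:
            connect(host, port)
            results.append(ProbeResult(label, host, port, True))
        except OSError as exc:
            results.append(ProbeResult(label, host, port, False, str(exc)))
    return results


def summarize(results: List[ProbeResult]) -> Dict[str, List[str]]:
    """Classify outcomes. A known-bad destination that was reached means the
    gateway did not block it; a baseline that was NOT reached means the probe
    host has no egress at all, so the other 'blocked' results prove nothing."""
    summary: Dict[str, List[str]] = {"blocked": [], "not_blocked": [], "baseline_failed": []}
    for r in results:
        if r.label.startswith("allowed-baseline"):
            if not r.reached:
                summary["baseline_failed"].append(r.label)
        elif r.reached:
            summary["not_blocked"].append(r.label)
        else:
            summary["blocked"].append(r.label)
    return summary


if __name__ == "__main__":
    probes = run_probes()
    for r in probes:
        state = "REACHED" if r.reached else "blocked"
        print(f"{r.label:18} {r.host}:{r.port:<5} {state} {r.error}")
    print(summarize(probes))
```

Run it from a workstation that sits behind the gateway under test, not from a bastion or an admin VLAN with looser rules, and treat any `not_blocked` entry as a hole to mend; a non-empty `baseline_failed` list means the run itself was invalid and should be repeated from a host that has normal outbound access.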
